Need help with Rex query to get count by Image typ...

harishnpandey · ‎08-17-2017

index=xyz "The Key is not in cache the source Code:" |rex field=_raw ":(?\w+)" | stats count by imagetype

However, it is giving me output as below:

Imagetype    Count
00           14
01           7
02           5
03           11

Instead, I was expecting below :

Imagetype Count
JPEG      1
TIF       05
GIF       07

Appreciate your help on this

 2017-08-18T03:34:06+00:00 vxdev-pp03 [8/17/17 23:34:06:045 EDT] 0000d635 PersistenceMo I   The Key is not in cache the source Code:JPEG
 2017-08-18T03:14:24+00:00 vxpup-pp04 [8/17/17 23:14:24:131 EDT] 0000d61d PersistenceMo I   The Key is not in cache the source Code:TIF
 2017-08-18T02:10:16+00:00 vxpup-pp05 [8/17/17 22:10:16:009 EDT] 0000d4a9 PersistenceMo I   The Key is not in cache the source Code:GIF
 2017-08-18T03:44:06+00:00 vxdev-pp03 [8/17/17 23:34:06:045 EDT] 0000d635 PersistenceMo I   The Key is not in cache the source Code:JPEG
 2017-08-18T03:14:54+00:00 vxpup-pp04 [8/17/17 23:14:24:131 EDT] 0000d61d PersistenceMo I   The Key is not in cache the source Code:TIF

kmorris_splunk · ‎08-17-2017

Assuming the messages above are the entire event, you could do something like this:

BASE SEARCH | rex field=_raw ":(?<imagetype>\w+)" | stats count by imagetype

harishnpandey · ‎08-18-2017

index=xyz "The Key is not in cache the source Code:" |rex field=_raw ":(?\w+)" | stats count by imagetype

However, it is giving me o/p as below

imagetype Count

00 14
01 7
02 5
03 11

Instead, I was expecting below :

imagetype count
JPEG 14
TIF 05
GIF 07

Appreciate your help on this

kmorris_splunk · ‎08-18-2017

You were missing the name for the capture group (imagetype for example) in the rex expression.

DalJeanis · ‎08-18-2017

You can't get that result output with the input you gave. Go back and cut/paste the exact input messages into your question.

harishnpandey · ‎08-18-2017

2017-08-18T03:34:06+00:00 vxdev-pp03 [8/17/17 23:34:06:045 EDT] 0000d635 PersistenceMo I   The Key is not in cache the source Code:JPEG
2017-08-18T03:14:24+00:00 vxpup-pp04 [8/17/17 23:14:24:131 EDT] 0000d61d PersistenceMo I   The Key is not in cache the source Code:TIF
2017-08-18T02:10:16+00:00 vxpup-pp05 [8/17/17 22:10:16:009 EDT] 0000d4a9 PersistenceMo I   The Key is not in cache the source Code:GIF
2017-08-18T03:44:06+00:00 vxdev-pp03 [8/17/17 23:34:06:045 EDT] 0000d635 PersistenceMo I   The Key is not in cache the source Code:JPEG
2017-08-18T03:14:54+00:00 vxpup-pp04 [8/17/17 23:14:24:131 EDT] 0000d61d PersistenceMo I   The Key is not in cache the source Code:TIF

harishnpandey · ‎08-18-2017

above is my exact input

vemurisurya · ‎08-18-2017

Try this
<.search> |rex field=_raw "(Code:(?P\w+))" |stats count by Code

harishnpandey · ‎08-18-2017

Tried . it throw below error

Error in 'rex' command: Encountered the following error while compiling the regex '(Code:(?P\w+))': Regex: unrecognized character after (?P

vemurisurya · ‎08-18-2017

BASE SEARCH |rex field=_raw "(Code:(?P<Code>\w+))" |stats count by Code

harishnpandey · ‎08-18-2017

Thank you Surya & Morris for your help .
it works now

Need help with Rex query to get count by Image type

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor